Troubleshooting Users and Roles

This section describes procedures used to troubleshoot users and roles created and maintained in the Cisco MDS 9000 Family Switch products. It includes the following sections:

Overview

Initial Troubleshooting Checklist

User and Role Issues

Troubleshooting Users and Roles with Cisco ACS

Overview

The CLI and SNMP use common roles in all switches in the Cisco MDS 9000 Family. You can use the CLI to modify a role that was created using SNMP and vice versa. A user configured through the CLI can access the switch using SNMP (for example, Fabric Manager or Device Manager) and vice versa.

User Accounts

Every Cisco MDS 9000 Family switch user has account information stored by the system. You can add up to 256 users to a switch. The authentication information, user name, user password, password expiration date, and role membership are stored in the user profile.

The most important aspect of configuring a user is choosing a strong password. Weak passwords are not accepted by Cisco SAN-OS, whether you try to configure them locally or attempt authentication using an AAA server.

A strong password has the following characteristics:

Contains at least eight characters.

Does not contain many consecutive characters (such as "abcd").

Does not contain many repeating characters (such as "aaabbb").

Does not contain dictionary words.

Does not contain proper names.

Contains both uppercase and lowercase characters.

Contains numbers.

The following examples show strong passwords:

If2CoM18

2004AsdfLkj30

Cb1955S21

If a password is trivial (short or easy to decipher), your password configuration is rejected. Passwords are case-sensitive. The default password for any Cisco MDS 9000 Family switch is no longer "admin". You must explicitly configure a strong password.

Note:

Clear text passwords can only contain alphanumeric characters. Special characters such as the dollar sign ($) or the percent sign (%) are not allowed.

Cisco MDS SAN-OS does not support all-numeric user names, whether created with TACACS+ or RADIUS, or created locally. Local users with all-numeric names cannot be created. If an all-numeric user name exists on an AAA server and is entered at login, the user is not logged in.
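The password characteristics listed above, together with the alphanumeric-only restriction from the note, expressed as a checker that can be run against the page's three sample passwords and a few constructed weak ones. This is an added Python example, not SAN-OS code: the dictionary-word and proper-name lists are constructed stand-ins, and the thresholds for "many" consecutive or repeating characters are assumptions, since the page gives no numbers.

```python
import re
from typing import List

# Constructed stand-ins for the dictionary-word and proper-name lists that the
# switch checks against; the real lists are not given on the page.
DICTIONARY_WORDS = {"password", "admin", "cisco", "switch", "fabric", "secret"}
PROPER_NAMES = {"joe", "alice", "bob", "cisco"}

MIN_LENGTH = 8
# Thresholds are assumptions: the page says "many" consecutive or repeating
# characters without giving a number, so treat 4+ sequential characters
# ("abcd", "4321") and 3+ identical characters in a row ("aaa") as too many.
MAX_SEQUENTIAL_RUN = 3
MAX_REPEAT_RUN = 2


def longest_repeat_run(s: str) -> int:
    """Length of the longest run of one identical character ("aaabbb" -> 3)."""
    best = run = 1 if s else 0
    for prev, cur in zip(s, s[1:]):
        run = run + 1 if cur == prev else 1
        best = max(best, run)
    return best


def longest_sequential_run(s: str) -> int:
    """Length of the longest run whose code points step by exactly +1 or -1 ("abcd" -> 4)."""
    best = 1 if s else 0
    for step in (1, -1):
        run = 1
        for prev, cur in zip(s, s[1:]):
            run = run + 1 if ord(cur) - ord(prev) == step else 1
            best = max(best, run)
    return best


def password_problems(password: str) -> List[str]:
    """Return every rule from the page that the candidate violates (empty list means strong)."""
    problems = []
    lowered = password.lower()
    # Clear-text passwords may contain only alphanumeric characters (no $ or %).
    if not re.fullmatch(r"[A-Za-z0-9]+", password):
        problems.append("contains characters other than letters and digits")
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if longest_sequential_run(password) > MAX_SEQUENTIAL_RUN:
        problems.append("contains many consecutive characters (such as abcd)")
    if longest_repeat_run(password) > MAX_REPEAT_RUN:
        problems.append("contains many repeating characters (such as aaabbb)")
    if any(word in lowered for word in DICTIONARY_WORDS):
        problems.append("contains a dictionary word")
    if any(name in lowered for name in PROPER_NAMES):
        problems.append("contains a proper name")
    if not any(c.isupper() for c in password):
        problems.append("has no uppercase character")
    if not any(c.islower() for c in password):
        problems.append("has no lowercase character")
    if not any(c.isdigit() for c in password):
        problems.append("has no digit")
    return problems


def is_strong(password: str) -> bool:
    return not password_problems(password)


if __name__ == "__main__":
    # The first three are the page's own examples; the rest are constructed weak candidates.
    for candidate in ("If2CoM18", "2004AsdfLkj30", "Cb1955S21", "abcd1234", "Password1", "Admin$123"):
        verdict = "accepted" if is_strong(candidate) else "rejected"
        print(f"{candidate:16} {verdict:9} {'; '.join(password_problems(candidate))}")
```

The checker reports every violated rule rather than stopping at the first, which is what you want when explaining to a user why a candidate was rejected. The sequential-run check deliberately looks at code points in both directions, so "4321" is caught as well as "abcd"; keyboard patterns such as "asdf" are not consecutive in that sense and pass, exactly as they do in the page's second sample.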

Role-Based Authorization

Switches in the Cisco MDS 9000 Family perform authorization based on roles. Role-based authorization limits access to switch operations by assigning users to roles. Users are restricted to the management operations permitted by the roles to which they have been assigned.

When you execute a command, perform command completion, or obtain context sensitive help, the switch software allows the operation to progress if you have permission to access that switch operation.

Each role can be assigned to multiple users and each user can be part of multiple roles. If a user has multiple roles, the user has the combined access of all those roles. For example, if role1 users are only allowed access to configuration commands, and role2 users are only allowed access to debug commands, then if Joe belongs to both role1 and role2, he can access configuration as well as debug commands.

Note:

If a user belongs to multiple roles, the user can execute a union of all the commands permitted by these roles. Access to a command takes priority over being denied access to a command. For example, suppose you belong to a TechDocs group and you were denied access to configuration commands. However, you also belong to the engineering group and have access to configuration commands. In this case, you will have access to configuration commands.

Tip: Any role, when created, does not allow user access to the required commands immediately. The administrator must configure appropriate rules for each role to allow user access to the required commands.

Rules and Features for Each Role

Up to 16 rules can be configured for each role. The user-specified rule number determines the order in which the rules are applied. For example, rule 1 is applied before rule 2, which is applied before rule 3, and so on. A user not belonging to the network-admin role cannot perform commands related to roles.

For example, if user A is permitted to perform all show commands, user A still cannot view the output of the show role command unless user A belongs to the network-admin role.

The rule command specifies operations that can be performed by a specific role. Each rule consists of a rule number, a rule type (permit or deny), a command type (for example, config, clear, show, exec, debug), and an optional feature name (for example, FSPF, zone, VSAN, fcping, or interface).

Note:

In this case, exec commands refer to all commands in the EXEC mode that do not fall in the show, debug, and clear categories.

The order of rule placement is important. For example, suppose the first rule permits user access to all config commands and the next rule denies FSPF configuration to the user. As a result, the user can perform all config commands except fspf configuration commands.

Note:

If you had swapped these two rules and issued the deny config feature fspf rule first and issued the permit config rule next, you would be allowing the user to perform all configuration commands because the second rule globally overrode the first rule.
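A model of the rule evaluation described in this section, covering the rule limit, the "permit then deny" and "deny then permit" FSPF orderings, the union of permissions across multiple roles (Joe in role1 and role2; the TechDocs and engineering groups), and the fact that a new role permits nothing. This is an added Python example, not switch code; the rule numbers and role names are constructed, and it assumes that "rule 1 is applied before rule 2" means each matching rule replaces the verdict of the earlier ones, which is the reading that reproduces both orderings on the page.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

MAX_RULES_PER_ROLE = 16                                   # limit stated on the page
COMMAND_TYPES = {"config", "clear", "show", "exec", "debug"}
ACTIONS = {"permit", "deny"}


@dataclass(frozen=True)
class Rule:
    number: int                    # user-specified rule number; lower numbers are applied first
    action: str                    # "permit" or "deny"
    command_type: str              # config, clear, show, exec or debug
    feature: Optional[str] = None  # e.g. "fspf", "zone"; None covers every feature of the type


@dataclass
class Role:
    name: str
    rules: List[Rule] = field(default_factory=list)

    def add_rule(self, rule: Rule) -> None:
        if rule.action not in ACTIONS or rule.command_type not in COMMAND_TYPES:
            raise ValueError(f"malformed rule: {rule}")
        if any(r.number == rule.number for r in self.rules):
            raise ValueError(f"rule {rule.number} already exists in role {self.name}")
        if len(self.rules) >= MAX_RULES_PER_ROLE:
            raise ValueError(f"role {self.name} already holds {MAX_RULES_PER_ROLE} rules")
        self.rules.append(rule)

    def permits(self, command_type: str, feature: Optional[str] = None) -> bool:
        # A newly created role allows nothing until rules are added (the Tip above).
        allowed = False
        # Rules are applied in rule-number order and each matching rule replaces the
        # verdict of the earlier ones (assumption; it reproduces both FSPF orderings).
        for rule in sorted(self.rules, key=lambda r: r.number):
            if rule.command_type != command_type:
                continue
            if rule.feature is not None and rule.feature != feature:
                continue
            allowed = rule.action == "permit"
        return allowed


def user_permits(roles: List[Role], command_type: str, feature: Optional[str] = None) -> bool:
    """A user holding several roles gets the union: a permit in any role outranks a deny in another."""
    return any(role.permits(command_type, feature) for role in roles)


def build_page_examples() -> Dict[str, Role]:
    """Roles from the page's own examples (rule numbers and role names constructed here)."""
    ordered = Role("config-minus-fspf")
    ordered.add_rule(Rule(1, "permit", "config"))
    ordered.add_rule(Rule(2, "deny", "config", "fspf"))

    swapped = Role("swapped")
    swapped.add_rule(Rule(1, "deny", "config", "fspf"))
    swapped.add_rule(Rule(2, "permit", "config"))

    role1 = Role("role1")               # configuration commands only
    role1.add_rule(Rule(1, "permit", "config"))
    role2 = Role("role2")               # debug commands only
    role2.add_rule(Rule(1, "permit", "debug"))

    techdocs = Role("techdocs")         # explicitly denied configuration commands
    techdocs.add_rule(Rule(1, "deny", "config"))
    engineering = Role("engineering")   # allowed configuration commands
    engineering.add_rule(Rule(1, "permit", "config"))
    return {r.name: r for r in (ordered, swapped, role1, role2, techdocs, engineering)}


if __name__ == "__main__":
    roles = build_page_examples()
    print("config fspf, permit then deny:", roles["config-minus-fspf"].permits("config", "fspf"))  # False
    print("config zone, permit then deny:", roles["config-minus-fspf"].permits("config", "zone"))  # True
    print("config fspf, deny then permit:", roles["swapped"].permits("config", "fspf"))            # True
    joe = [roles["role1"], roles["role2"]]
    print("Joe config/debug/show:", user_permits(joe, "config"),
          user_permits(joe, "debug"), user_permits(joe, "show"))                                    # True True False
    print("techdocs + engineering config:",
          user_permits([roles["techdocs"], roles["engineering"]], "config"))                       # True
```

The practical lesson the model makes visible is that a deny rule only narrows what an earlier, broader permit granted within the same role; placed before the permit it has no effect, and placed in a different role it is overridden entirely by the union across roles. When auditing a role, therefore, read its rules in number order and check the user's other roles before concluding that a command is blocked.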

Initial Troubleshooting Checklist

Begin troubleshooting user and role issues by checking the following issues:

User is not logged into Fabric Manager or Device Manager with a privacy password.

Log into Fabric Manager or Device Manager with a password and a privacy password. A privacy password is required to manage users via the GUI.

Note:

If you have logged in as a network-admin using MDS authentication, Device Manager and Fabric Manager automatically provide the appropriate encryption for this task, even if you did not specify a specific privacy password.

User Cannot Access Certain Features

Symptom: User cannot access certain features.

Table 18-4 User Cannot Access Certain Features

Symptom: User cannot access certain features.

Possible Cause: User is assigned incorrect role.

Solution: For RADIUS, configure the vendor-specific attributes on the server for the role using Cisco-AVPair = "shell: roles = "<rolename>" ". For TACACS+, configure the attribute and value pair on the server for the role using roles="vsan-admin storage-admin". See the "Verifying Roles Using Device Manager" section or the "Verifying Roles Using the CLI" section.

Possible Cause: Role is not configured for appropriate access.

Solution: See the "Verifying Roles Using Device Manager" section or the "Verifying Roles Using the CLI" section.

User Cannot Configure E Ports

See the "Verifying VSAN-Restricted Roles Using Fabric Manager" section or the "Verifying VSAN-Restricted Roles Using the CLI" section.

Unexpected User Displayed in Logs

Symptom: Unexpected user displayed in logs.

Table 18-8 Unexpected User Displayed in Logs

Symptom: Unexpected user displayed in logs.

Possible Cause: Temporary user created by SNMP, Fabric Manager, or Device Manager.

Solution: Temporary users are created by Fabric Manager, Device Manager, or other applications using SNMP. This is normal behavior. These temporary users have a one-hour expiration time. If you have an unexpected user with different characteristics, you should investigate that user or use the clear user CLI command to terminate that user session.

Troubleshooting Users and Roles with Cisco ACS

To troubleshoot user and role issues with Cisco ACS, follow these steps:

1. Choose Network Configuration using Cisco ACS and view the AAA Clients table to verify that the Cisco SAN-OS switch is configured as an AAA client on Cisco ACS.